FAPI Test: Add failure test no root certificate.
It is now checked whether provisioning fails if the appropriate
root certificate does not exist.
For this purpose the EK certificate is generated with a self-signed
certificate which is not in the list of the FAPI certificates.

Signed-off-by: Juergen Repp <[email protected]>
JuergenReppSIT committed Jan 15, 2024
1 parent 50b7608 commit 3aa1e49
Showing 6 changed files with 99 additions and 8 deletions.
9 changes: 9 additions & 0 deletions Makefile-test.am
@@ -404,6 +404,7 @@ FAPI_TESTS_INTEGRATION = \
test/integration/fapi-policy-or-nv-read-write.fint \
test/integration/fapi-second-provisioning.fint \
test/integration/fapi-provisioning-error.fint \
test/integration/fapi-provisioning-cert-error.fint \
test/integration/fapi-info.fint \
test/integration/fapi-unseal.fint \
test/integration/fapi-unseal-persistent.fint
@@ -2547,6 +2548,14 @@ test_integration_fapi_provisioning_error_fint_SOURCES = \
test/integration/fapi-provisioning-error.int.c \
test/integration/main-fapi.c test/integration/test-fapi.h

test_integration_fapi_provisioning_cert_error_fint_CFLAGS = $(TESTS_CFLAGS) \
-DSELF_SIGNED_CERTIFICATE
test_integration_fapi_provisioning_cert_error_fint_LDADD = $(TESTS_LDADD)
test_integration_fapi_provisioning_cert_error_fint_LDFLAGS = $(TESTS_LDFLAGS)
test_integration_fapi_provisioning_cert_error_fint_SOURCES = \
test/integration/fapi-provisioning-cert-error.int.c \
test/integration/main-fapi.c test/integration/test-fapi.h

test_integration_fapi_quote_destructive_fint_CFLAGS = $(TESTS_CFLAGS)
test_integration_fapi_quote_destructive_fint_LDADD = $(TESTS_LDADD)
test_integration_fapi_quote_destructive_fint_LDFLAGS = $(TESTS_LDFLAGS)
2 changes: 1 addition & 1 deletion script/ekca/create_ca.sh
@@ -84,7 +84,7 @@ mkdir certreqs certs crl newcerts private
touch intermed-ca.index
echo 00 > intermed-ca.crlnum
echo 2000 > intermed-ca.serial
echo "abcdef" > pass.txt
echo "123456" > pass.txt

cp "${EKCADIR}/intermed-ca.cnf" ./
export OPENSSL_CONF=./intermed-ca.cnf
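Review bot: The passphrase literal written to `pass.txt` carries no comment, although it appears to have to match `char pwd[6]` in test/integration/main-fapi.c, which this commit changes to the same value; the same `echo` is repeated in script/ekca/init_ca.sh. A comment above it such as `# Throwaway passphrase for the test CA key; must match pwd in test/integration/main-fapi.c` would keep the three copies in step and make clear that the value protects nothing outside the test CA. The commit description does not say why the value changed, so a short reason there would help the next reader.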
4 changes: 3 additions & 1 deletion script/ekca/init_ca.sh
@@ -25,6 +25,7 @@ if test -e $CA_DIR; then
exit
fi
mkdir -p $CA_DIR
echo "CA build in \"$CA_DIR\" realpath: \"$(realpath $CA_DIR)\"" 1>&2

pushd "$CA_DIR"

@@ -78,7 +79,7 @@ mkdir certreqs certs crl newcerts private
touch intermed-ca.index
echo 00 > intermed-ca.crlnum
echo 2000 > intermed-ca.serial
echo "abcdef" > pass.txt
echo "123456" > pass.txt

cp "${EKCADIR}/intermed-ca.cnf" ./
export OPENSSL_CONF=./intermed-ca.cnf
@@ -128,3 +129,4 @@ openssl ca -gencrl -cert ../root-ca/certs/intermed-ca.cert.pem \
openssl crl -in intermed-ca.crl.pem -outform DER -out intermed-ca.crl

popd #intermed-ca
sync
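Review bot: In the added progress message, `$(realpath $CA_DIR)` expands `CA_DIR` unquoted, so a directory name containing spaces or glob characters is split before `realpath` sees it; `$(realpath "$CA_DIR")` avoids that. The `mkdir -p $CA_DIR` on the line above has the same form, while `pushd "$CA_DIR"` below is already quoted. The trailing `sync` would benefit from a one-line comment naming what it waits for, since the reason is not visible in the script.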
6 changes: 6 additions & 0 deletions src/tss2-fapi/api/Fapi_Provision.c
@@ -895,6 +895,12 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
#pragma message ( "*** Allow self generated certifcate ***" )
root_ca_file = getenv("FAPI_TEST_ROOT_CERT");

if (root_ca_file && strcasecmp(root_ca_file, "self") == 0) {
/* The self signed root cert will be used as intermediate certificate. */
context->state = PROVISION_PREPARE_READ_INT_CERT;
return TSS2_FAPI_RC_TRY_AGAIN;
}

if (!root_ca_file && ifapi_io_path_exists(FAPI_TEST_ROOT_CERT_FILE)) {
root_ca_file = FAPI_TEST_ROOT_CERT_FILE;
}
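Review bot: The new branch lets the environment variable `FAPI_TEST_ROOT_CERT` steer the provisioning state machine past root-certificate loading from inside library code, and the preprocessor guard that should confine it to test builds lies outside this hunk; only the `#pragma message` hints at one. It is worth confirming that the whole `getenv` block, including this branch, cannot end up in a release build. The comment could state the intent, presumably `/* "self": load no test root, so the EK chain ends in a certificate outside the FAPI trust list and verification must fail. */`. `strcasecmp` also accepts `SELF` or `Self`; `strcmp(root_ca_file, "self") == 0` would keep the sentinel exact. Fapi_Provision_Finish starts and ends outside the hunk.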
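--- a/test/integration/fapi-provisioning-cert-error.int.c
+++ b/test/integration/fapi-provisioning-cert-error.int.c
@@ -0,0 +1,65 @@
+/* SPDX-License-Identifier: BSD-2-Clause */
+/*******************************************************************************
+* Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
+* All rights reserved.
+*******************************************************************************/
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdlib.h>
+
+#include "tss2_fapi.h"
+#include "tss2_esys.h"
+
+#include "test-fapi.h"
+#include "fapi_util.h"
+#include "fapi_int.h"
+#include "tss2_esys.h"
+
+#include "esys_iutil.h"
+#define LOGMODULE test
+#include "util/log.h"
+#include "util/aux_util.h"
+#include "tss2_mu.h"
+#include "fapi_int.h"
+
+
+/** Test the FAPI cleanup in an error case.
+*
+* Tested FAPI commands:
+* - Fapi_Provision()
+*
+* @param[in,out] context The FAPI_CONTEXT.
+* @retval EXIT_FAILURE
+* @retval EXIT_SUCCESS
+*/
+int
+test_fapi_test_provisioning_cert_error(FAPI_CONTEXT *context)
+{
+TSS2_RC r;
+
+#ifndef SELF_SIGNED_CERTIFICATE
+return EXIT_SKIP;
+#endif
+
+
+setenv("FAPI_TEST_ROOT_CERT", "self", 1);
+setenv("FAPI_TEST_INT_CERT", "./ca/root-ca/root-ca.cert.pem", 1);
+
+r = Fapi_Provision(context, NULL, NULL, NULL);
+
+if (r == TSS2_FAPI_RC_GENERAL_FAILURE)
+return EXIT_SUCCESS;
+
+LOG_ERROR("Test with self signed certificate did not fail.");
+return EXIT_FAILURE;
+
+}
+
+int
+test_invoke_fapi(FAPI_CONTEXT *fapi_context)
+{
+return test_fapi_test_provisioning_cert_error(fapi_context);
+}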
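Review bot: The test passes on any `TSS2_FAPI_RC_GENERAL_FAILURE` from `Fapi_Provision`, so a failure unrelated to the certificate chain (for example `./ca/root-ca/root-ca.cert.pem` not being present in the working directory) could be reported as success without the root-certificate check being reached. If the library offers no narrower return code for a rejected EK certificate chain, the failure path should at least report what came back, `LOG_ERROR("Expected TSS2_FAPI_RC_GENERAL_FAILURE, got 0x%x", r);`, and the two `setenv` calls should have their return values checked. The doc comment still reads "Test the FAPI cleanup in an error case"; a first line such as `/** Test that Fapi_Provision() fails when the EK certificate chain ends in a root unknown to FAPI.` would describe what is tested here.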
21 changes: 15 additions & 6 deletions test/integration/main-fapi.c
@@ -856,7 +856,7 @@ get_ecc_ek_public(TSS2_SYS_CONTEXT *sys_context, EVP_PKEY **evp_pub)

}

char pwd[6] = "abcdef";
char pwd[6] = "123456";

int pass_cb(char *buf, int size, int rwflag, void *u)
{
@@ -949,7 +949,7 @@ load_intermed_cert_and_key(const char *ca_key_path, EVP_PKEY **ca_key,
unsigned long err = ERR_get_error();
char err_buffer[256];
ERR_error_string_n(err, err_buffer, sizeof(err_buffer));
LOG_ERROR("Failure in BIO_read_filename %s", err_buffer);
LOG_ERROR("Failure in BIO_read_filename \"%s\" %s", ca_cert_path, err_buffer);
goto error_cleanup;
}
*ca_crt = PEM_read_bio_X509(bio, NULL, NULL, NULL);
@@ -965,7 +965,7 @@ load_intermed_cert_and_key(const char *ca_key_path, EVP_PKEY **ca_key,
unsigned long err = ERR_get_error();
char err_buffer[256];
ERR_error_string_n(err, err_buffer, sizeof(err_buffer));
LOG_ERROR("Failure in BIO_read_filename %s", err_buffer);
LOG_ERROR("Failure in BIO_read_filename \"%s\" %s", ca_key_path, err_buffer);
goto error_cleanup;
}
*ca_key = PEM_read_bio_PrivateKey(bio, NULL, pass_cb, NULL);
@@ -1264,11 +1264,20 @@ init_ek_certificates(TSS2_SYS_CONTEXT *sys_ctx)
goto error_cleanup;
}

rc = load_intermed_cert_and_key("ca/intermed-ca/private/intermed-ca.key.pem",
#ifdef SELF_SIGNED_CERTIFICATE
/* The self signed root cert will be used as intermediate certificate. */
rc = load_intermed_cert_and_key("./ca/root-ca/private/root-ca.key.pem",
&intermed_key,
"ca/intermed-ca/intermed-ca.cert.pem",
"./ca/root-ca/root-ca.cert.pem",
&intermed_cert);
if (rc != TSS2_RC_SUCCESS) {
#else
rc = load_intermed_cert_and_key("./ca/intermed-ca/private/intermed-ca.key.pem",
&intermed_key,
"./ca/intermed-ca/intermed-ca.cert.pem",
&intermed_cert);
#endif

if (rc != TSS2_RC_SUCCESS) {
LOG_ERROR("Failed to load intermediate key and cert %s\n", Tss2_RC_Decode(rc));
goto error_cleanup;
}
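Review bot: `char pwd[6] = "123456";` fills the array exactly, so it holds no terminating NUL and is not a C string; the body of `pass_cb` is outside the hunk, and if it applies `strlen` or `strcpy` to `pwd` it reads past the array. If `pass_cb` copies `sizeof(pwd)` bytes the current form works but breaks as soon as the literal changes length; `static const char pwd[] = "123456";` with a copy length of `sizeof(pwd) - 1` lets the length follow the literal. A comment should also say that the value has to match the `pass.txt` written by script/ekca/create_ca.sh and script/ekca/init_ca.sh.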
